access denied "http://indigodomo.net:14076

Posted on
Wed Jun 16, 2021 8:02 am
welchgregusa offline
Posts: 101
Joined: May 29, 2013
Location: Orlando, FL

Hi folks.

Any ideas what process this log entry might correspond to?

WebServer access denied "http://indigodomo.net:XYZ/" from welch @ 127.0.0.1

I'm seeing it around every 2-3 minutes. I cannot find anything that is trying to use port XYZ for any host/domain (from my localhost/server or anywhere), much less indigodomo.net.

I've searched my plugins, the forums etc. and cannot find anything.

Thanks in advance for any thoughts.

--greg

Posted on
Thu Jun 17, 2021 9:11 pm
matt (support) offline
Site Admin
Posts: 21416
Joined: Jan 27, 2003
Location: Texas

Re: access denied "http://indigodomo.net:14076

Hi Greg,

That port is likely the one assigned to your Indigo reflector, so this is something or someone likely hitting your Indigo reflector URL. If you would like us to change your reflector name then send us an email with the current reflector name and the new name. That will likely prevent the problem.

Posted on
Sat Jun 19, 2021 5:03 am
howartp offline
Posts: 4559
Joined: Jan 09, 2014
Location: West Yorkshire, UK

Re: access denied "http://indigodomo.net:14076

Matt, there’s another report of this on another thread where user is intentionally accessing his reflector but with same log entry.

Is the log correct in that it’s missing the reflector name?

I see it’s coming from 127.0.0.1 which wouldn’t be an attacker from outside, it’s something on the Mac failing to talk to reflector isn’t it?


Posted on
Sat Jun 19, 2021 7:49 am
welchgregusa offline
Posts: 101
Joined: May 29, 2013
Location: Orlando, FL

Re: access denied "http://indigodomo.net:14076

Sorry about the "XYZ" in the body of my original post—I'm not sure what I was (or was not) thinking when I typed that. In any case, it is always port 14076 as the subject of the post indicates:

access denied "http://indigodomo.net:14076/" from welch @ 127.0.0.1


I've tried some other things:

    I made sure all of my used plugins were up to date—no change in behavior. (They are: Cynical Weather; Dimmer Extender; Fantastic Weather; FindFriendsMini; NOAA Weather Plus; Timed Devices; Timers and Pesterers; Trane Nexia; Yamaha RX Receiver; and Z-Wave Lock/Code Manager.)

    I disabled all of the plugins—no change in behavior.

    I checked my Indigo server port settings: web server override is 8176, remote clients is 1176.

    I reset (and re-activated) my Indigo reflector—no change in behavior.

    Because I use Simon by Dejal (https://dejal.com/simon/) to periodically check both the Indigo web server and reflector—I confirmed they are using the correct ports (not 14076); I disabled the checks; I quit Simon—no change in behavior.

    I checked the Simon (above) logs, and there is nothing related—the web and reflector checks appear to succeed every time.

    I searched the macOS system logs (all logs I could find) and cannot find anything interesting/relevant around the times of the denial reports.

I was thinking there might be a way to increase the Indigo log detail (set a different log level) but I can't find anything.

It does seem to be coming from localhost, and regularly (every ~3 minutes). My reflector seems to work fine (and I tried resetting it as I indicated above).

Puzzling....

P.S. I'm excited to update to Indigo v2021.1 but holding off until I check on the status of my plugins, etc.

Posted on
Sat Jun 19, 2021 7:59 am
howartp offline
Posts: 4559
Joined: Jan 09, 2014
Location: West Yorkshire, UK

Re: access denied "http://indigodomo.net:14076

I’m confused - have you upgraded to 2021.1 yet?

If not that’s a good piece of info for Matt/Jay.


Posted on
Sat Jun 19, 2021 8:03 am
welchgregusa offline
Posts: 101
Joined: May 29, 2013
Location: Orlando, FL

Re: access denied "http://indigodomo.net:14076

No, I have not upgraded to 2021.1. I'm running 7.5. As I indicated in my PS (previous post) I'm holding off upgrading for other reasons. Thanks.

Posted on
Sat Jun 19, 2021 8:06 am
howartp offline
Posts: 4559
Joined: Jan 09, 2014
Location: West Yorkshire, UK

Re: access denied "http://indigodomo.net:14076

Thanks, it’s your previous post that implied that to me - I’d thought everyone (on other threads) with this error was on 2021, which suggests it’s possibly an error in 2021.

The fact you’re seeing it in 7.5 suggests it’s the backend web server at indigodomo (which probably will have had tweaks in preparation for 2021)


Posted on
Sat Jun 19, 2021 8:36 am
welchgregusa offline
Posts: 101
Joined: May 29, 2013
Location: Orlando, FL

Re: access denied "http://indigodomo.net:14076

So if I disable the reflector (uncheck "Enable anywhere secure access....") and restart the server, it appears the message goes away. When I re-enable the reflector, the message comes back.

I have tried the default reflector port (that's what I have been using all along), and all three alternate port choices, and for all the "access denied" messages continue to occur.

I'm currently wondering if it is a router (e.g., NAT) issue. I'm checking the router settings, logs, etc. but not seeing anything obvious.

@Matt: can you think of any port, route, etc. router settings that might be relevant? E.g., should I try a port map, and if so, what port(s)? (Thanks—I am sure you are exceptionally busy fielding new release questions, etc.)

Posted on
Sat Jun 19, 2021 2:34 pm
jay (support) offline
Site Admin
Posts: 18212
Joined: Mar 19, 2008
Location: Austin, Texas

Re: access denied "http://indigodomo.net:14076

When you have the reflector enabled, can you hit it in a web browser?

Generally when we see those messages it's because some bot out on the net is doing port scans. However, if it's coming from your internal network that's probably not it. The port number should never be used, you should always use https://REFLECTORNAME.indigodomo.net/. If you have something that's using the port directly then seems like that's where the problem is coming from. Disabling the reflector stops it only because the HTTP request from whomever is sending it isn't making it to your Indigo Server.

Jay (Indigo Support)

Posted on
Sat Jun 19, 2021 3:58 pm
welchgregusa offline
Posts: 101
Joined: May 29, 2013
Location: Orlando, FL

Re: access denied "http://indigodomo.net:14076

Hi Jay. Yep—when I have the reflector enabled, I can reach the site (https://REFLECTORNAME.indigodomo.net) from a web browser—on that server and other machines. I get the Indigo Web page (Devices, Actions, Variables, and Control Pages) as expected.

Everything you say makes sense to me, but I still cannot find anything that is trying to connect w/ port 14076 or any port designation for that matter. All uses of the reflector that I am aware of in our house only used indigodomo.net without a port designation.

While not the localhost, I even checked Indigo Touch on my wife's and my iPhones, but nothing there. I even powered them down for a bit—access denied message still occurred like clockwork.

No surprise, but when I shut down the cable modem, the errors stopped (though Indigo complained about not reaching the reflector, of course), then when I restored it, and Indigo tried again (15 minutes later), the message re-appeared.

Hmm...I went back and searched the logs, and I believe this all started happening on the day (and even the time...) when I changed the server password (necessary). Could I have messed something up in the process? As I recall I just stopped the server, and then restarted it w/ a new password. I then went and changed it in Simon (previous post) and on our two Indigo Touch devices (iOS). All seem to be working fine since then, through the reflector. My new server password is 16 characters w/ upper+lower case letters, numbers, and symbols (one or more of each).

Thank you!

Posted on
Sat Jun 19, 2021 5:16 pm
matt (support) offline
Site Admin
Posts: 21416
Joined: Jan 27, 2003
Location: Texas

Re: access denied "http://indigodomo.net:14076

Ignore the port number in the error message. That is the internal port number used on our backend that maps to your reflector, so that error means that someone/something is trying to access your reflector with bad/wrong credentials. It could be a browser open on a device, Indigo Touch on an iPad, etc., or as Jay mentioned it could be a bot trying to dictionary attack against the address. If you cannot locate the source of the requests, then we can change your reflector name and the problem will likely stop.

Posted on
Sat Jun 19, 2021 6:45 pm
welchgregusa offline
Posts: 101
Joined: May 29, 2013
Location: Orlando, FL

Re: access denied "http://indigodomo.net:14076

As soon as I read your latest response (Matt), and re-considered what Jay had said, I realized that I had a Simon (Dejal) process running on my work machine, and sure enough I had a check of the reflector there too—with the old password. Why I wanted one there and on my home server, I don't know—I think I got excited about using Simon to check things for me. :D In any case, removing that Simon test/check seems to have eliminated the failed (denied) attempts. Dang—sorry for the fire drill.

Thank you Matt and Jay—you guys rock.
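
An added example, not part of any post in this thread and not Indigo code: one way to test whether "access denied" entries like the one quoted above recur at a fixed interval, which in this thread pointed to a scheduled check still using the old password. The leading timestamp format, the sample lines and the `admin` user are constructed assumptions; only the message text follows the entry quoted in the thread.

```python
import re
from datetime import datetime
from statistics import median

# Message text as quoted in the thread; the leading timestamp is an assumption.
LINE_RE = re.compile(
    r'^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+WebServer\s+access denied '
    r'"(?P<url>[^"]*)" from (?P<user>\S+) @ (?P<addr>\S+)\s*$'
)

def parse_denied(lines):
    """Return (timestamp, user, addr) for each access-denied entry."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            events.append((ts, m["user"], m["addr"]))
    return events

def classify(events, tolerance=0.2, min_events=4):
    """Per (user, addr): count, median gap in seconds, and whether gaps are regular."""
    by_source = {}
    for ts, user, addr in sorted(events):
        by_source.setdefault((user, addr), []).append(ts)
    report = {}
    for source, stamps in by_source.items():
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        mid = median(gaps) if len(stamps) >= min_events else None
        # Regular gaps suggest a scheduled client retrying with stale credentials.
        regular = bool(mid) and all(abs(g - mid) <= tolerance * mid for g in gaps)
        report[source] = {"count": len(stamps), "median_gap": mid, "periodic": regular}
    return report

# Constructed sample log, not taken from the thread.
SAMPLE = [
    '2021-06-19 07:40:02 WebServer access denied "http://indigodomo.net:14076/" from welch @ 127.0.0.1',
    '2021-06-19 07:41:10 WebServer access denied "http://indigodomo.net:14076/" from admin @ 127.0.0.1',
    '2021-06-19 07:41:12 WebServer access denied "http://indigodomo.net:14076/" from admin @ 127.0.0.1',
    '2021-06-19 07:43:01 WebServer access denied "http://indigodomo.net:14076/" from welch @ 127.0.0.1',
    '2021-06-19 07:44:00 Z-Wave sent "Hall Light" on',
    '2021-06-19 07:46:03 WebServer access denied "http://indigodomo.net:14076/" from welch @ 127.0.0.1',
    '2021-06-19 07:49:02 WebServer access denied "http://indigodomo.net:14076/" from welch @ 127.0.0.1',
    '2021-06-19 07:58:40 WebServer access denied "http://indigodomo.net:14076/" from admin @ 127.0.0.1',
    '2021-06-19 08:30:05 WebServer access denied "http://indigodomo.net:14076/" from admin @ 127.0.0.1',
]

if __name__ == "__main__":
    print(classify(parse_denied(SAMPLE)))
```

The entries in this thread showed 127.0.0.1 even though the client turned out to be on another machine, so the grouping here relies on the username and timing rather than the logged address.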

Posted on
Mon Jun 27, 2022 1:36 pm
EagleDTW offline
Posts: 69
Joined: Apr 30, 2020

Re: access denied "http://indigodomo.net:15139

Hi Jay and Matt,

I started having erratic behavior of our garage door last night and decided to change password. I have all the main devices that check indigo converted over to the new password but I am still having these error messages - could this mean that my reflector has been compromised? Should I be changing the reflector to eliminate this issue? I'm having this same issue as OP, but don't have another check of my reflector up or down!

I'm on v2021.2 and haven't changed over to 2022.1.1 due to the massive overhaul needed in all scripts.

Thank you,
Daniel

Posted on
Mon Jun 27, 2022 2:19 pm
jay (support) offline
Site Admin
Posts: 18212
Joined: Mar 19, 2008
Location: Austin, Texas

Re: access denied "http://indigodomo.net:14076

No - if your reflector had been compromised you wouldn't see the access denied error, but rather your Indigo devices would be being controlled when they shouldn't. If it's happening regularly, then it's likely that you have something outside of Indigo that you've set up to talk to it. It should be failing right now since it's not able to authenticate correctly.

Jay (Indigo Support)

Posted on
Mon Jun 27, 2022 2:39 pm
EagleDTW offline
Posts: 69
Joined: Apr 30, 2020

Re: access denied "http://indigodomo.net:14076

Hi Jay,

Was having something controlled outside of our doing the button presses - thus the change of password. Found a couple of other app locations that were pinging the server and corrected that, but the server auth messages are still present! <--UPDATED

Thank you,
Daniel
